Tom Ivar Helbekkmo <[email protected]> wrote:
> ...
>
> It's fine and all, but I tend to think that the simplistic first version
> might automatically expand to the code in the second one. In fact, the
> documentation seems to agree with me:
>
> By default, a stateful rule implies SYN-only flag check ("flags
> S/SAFR") for the TCP packets. It is not advisable to change this
> behavior; however, it can be overridden with the flags keyword.
>
> The code or the documentation needs to change. I vote for the code. :)
There is a difference between these two:
pass stateful out final all
pass stateful out final proto tcp all
The latter will generate an implicit "flags S/SAFR", while the former
will not as it covers non-TCP protocols too. I agree that this is not
really intuitive and the documentation did not clarify this either.
--
Mindaugas
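An added example (constructed for this note, not from the thread or the NPF project) showing how the distinction above can be made explicit in npf.conf, so that the SYN-only check is visible in the rule text rather than relied on as an implicit default; the interface name wm0 is an assumption:

```conf
# Constructed example; interface name is an assumption.
$ext_if = "wm0"

group "external" on $ext_if {
	# Generic rule: covers every protocol, so NO implicit
	# "flags S/SAFR" is generated for TCP by this line.
	# pass stateful out final all

	# TCP spelled out: 'proto tcp' makes the SYN-only check implicit,
	# but writing the flags keyword documents the intent in the config.
	pass stateful out final proto tcp flags S/SAFR all

	# Non-TCP traffic has no TCP flags to check; keep it on its own rules
	# instead of folding it into a single protocol-agnostic pass rule.
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
}
```

The commented-out generic rule is left in to show the form that does not carry the SYN-only check; the explicit per-protocol rules below it behave the same for UDP and ICMP while making the TCP flag matching an explicit, reviewable part of the policy.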